Before we start building different scenarios, let's discuss my lab setup in some detail. It is important to understand what components I have in my lab, what protocols I have enabled, and what integration I have between these components, because if you are building your own home lab you need something similar if you want to follow the same scenarios I do in this course. Even if you have a production environment, it is good to understand the differences between your production environment and my lab setup. You can still implement the same scenarios with a different setup than mine, but it is good to know exactly what the current configuration and setup in my lab is, because that is what I will be working with during the scenarios. This is my lab setup. I have an Instant AP to connect the devices wirelessly. I have two SSIDs, Secure and Guest. You may have Aruba Controllers or Aruba Instant managed by Central; it is almost the same. The configuration on ClearPass and the integration between ClearPass and the Azure Cloud that we discussed are almost the same. Actually, the differences are very minimal; the configuration of Instant, of a Controller, or of Instant managed from the cloud through Central is very similar. Our focus will be mainly on the integration between ClearPass and Azure, and regardless of which product you have for wireless, it is almost the same. Just for your knowledge, I have Instant in my home lab. For ClearPass, I have one ClearPass server, called CPPM1. If you have a production environment you may well have more than one server, but as I mentioned before, in my lab I am only trying to build the basic setup to test the features. My objective is not to build a full production environment with high availability. It is only a home lab, mainly to test features, and what I show here can be implemented even if you have multiple ClearPass servers.
I have one ClearPass server and this is its IP address. I have one Active Directory domain server and, as I mentioned before, to minimize the amount of hardware needed in my environment, the same server is also used as the Active Directory Certificate Services server and as the [inaudible] for VPN. It is the same server doing multiple functions, which is not typical and actually not recommended by Microsoft. It is only a home lab; I want to implement everything with the minimum hardware. In a real environment there is a good chance that you have these features implemented on different nodes, and maybe on multiple nodes for each feature. Since we focus only on the integration between ClearPass and Azure, I built everything on the same server. My Active Directory server also has a certificate connector. It is the PKCS certificate connector for Intune, so Intune can request certificates from my ADCS, and ADCS can issue certificates to devices managed by Intune. I also have Azure AD Connect cloud sync to sync my local accounts in on-prem AD with Azure AD, so the accounts I create here will be replicated or synced to Azure AD along with the groups and other details. I also have a VPN between my home lab and Azure. I configured the same Active Directory server as RRAS, and I have a VPN gateway configured in my Azure Cloud. This VPN gateway has its own gateway subnet, and the VNET I have in my cloud right now is 10.0.0.0/16. I named it Cloud Integration Course, since this VNET was built only for this course. Right now there are no servers in this VNET. We need it because later on, in Part 4 of this course, we will build one ClearPass instance there. It is not there right now; we will create this node, integrate it with the current on-prem node, and build a cluster between them. So right now it is not there, but it is something we will have in the future. To start, in my lab I have this already set up.
I have the gateway set up, I have the gateway subnet set up, and I have the VNET I created already. The VNET is 10.0.0.0/16. All resources I built for this course in Azure, I marked with the name Cloud Integration Course, so I know exactly which resources I created for this course. I have all of them in one resource group with the same name, Cloud Integration Course, to make it easy for me to identify the resources I created for this course, so I can easily delete them later on after the course. If you are building a home lab, it is good practice to have all resources you build for a test or a demo in one resource group. It is up to you when it comes to designing your Azure deployment; you need to follow Microsoft documentation and best practices, but this is what I have and what I used in my setup. I have public certificates on all my nodes. I have certificates created from ZeroSSL, so I have public certificates for RADIUS and for HTTPS in my ClearPass, and I have a public certificate on Instant also. I am using public certificates on all nodes in my setup. I have one domain used for this course. The domain name is mycloudcourse.com. This is the domain I use in this course; it was created mainly and only for this course. If you are building a lab setup you may request your own domain for testing, because having public certificates makes things easier sometimes when it comes to testing or integration, and you can go for cheap or low-cost domains. It is only my suggestion; you can still build things your own way. This is the lab setup when it comes to the main components. Now, let's talk a little bit about the current wireless LAN. As I mentioned, my home lab is already built with a basic AP configuration. I have two SSIDs in my lab right now. One SSID is called Secure. This SSID uses EAP-PEAP right now against the local AD, which is typical in most enterprises right now.
It has very basic rules. The rules say that if a device is part of the domain, the client or user will get full access. If it is a personal device (this company allows BYOD), personal devices will get Internet only. When it comes to the Guest SSID, there is a Guest SSID already. The Guest SSID has a captive portal, and it authenticates the users against the local guest database. Self-registration is allowed and permitted, and we will actually use this portal in our scenarios for other usages also. When it comes to wireless, this is the setup: I have an Instant AP broadcasting two SSIDs and I have my own ClearPass. For Secure, it is EAP-PEAP against the Active Directory. For Guest, it is actually an open SSID authenticating users against the Guest User Database, and we have self-registration enabled. When it comes to AD or Azure AD, this is the current setup and the requirements I have. The setup is similar, or rather the groups are the same in AD and Azure AD, mainly because there is sync between them, so groups and users are replicated or synced between on-prem AD and Azure AD. The first group is Contractor. I do have some external users connecting to my environment. They are contractors, and their devices are unmanaged. I cannot install any software on these devices on a permanent basis; I cannot manage these devices; I cannot ask them to join my domain. They own their devices, and they need to connect to my wireless to gain access to certain resources. They want more access than Internet only, so they need to access some limited resources. For me to allow these devices to connect, they should authenticate by certificate. I want to make sure that they have certificates on their devices generated or issued by me, and these certificates are used to authenticate these devices. When they connect, they will get a limited role. On my Instant APs, the role is contractor.
This role is created already in Instant. When these devices connect to my environment, I want them to get the contractor role in Aruba Instant. One more thing, by the way: I don't want them to consume any license in my Azure Cloud setup. I don't want my licenses to be used by contractors when it comes to Azure AD; I want them to connect and authenticate without using any of my corporate licenses in Azure AD. The other group is IT. They are internal; they are employees. They can bring their own devices and connect to my wireless using their personal devices, but before connecting they need to register their devices to Azure AD. As part of this registration, they will need to have Intune integration, and I need to make sure that their devices are fully compliant in Intune, as per the rules and policies I have in Intune. You may have different policies to make sure that the devices are secure enough to connect to your environment. In this course I will not create these policies; I will just focus on the Intune integration to make sure that the devices are compliant with your Intune policies, regardless of what policies you have. I need to have some permission or some attribute from Intune telling me that the device is compliant before allowing this device to connect to my environment. When they connect with these devices, first of all the user should be valid, and the device should be compliant. If both are achieved, this device will get the BYOD role in Aruba Instant. This role will give these IT users more access to your environment. The third group is Finance. This group is more limited; they cannot use any personal device. If they want to connect any device to this environment, the device must be part of AD or must be part of Azure AD. The device should be owned by the corporation; it must be joined. There is a difference between register and join. Register is less than join.
When it comes to IT, they need only to register the device and make sure that they are compliant with Intune, but when it comes to Finance they must join Active Directory. The device should be owned by the corporation, and again, it must comply with the full Intune rules. Once connected to wireless, it will get a role called FULL-ACCESS in Aruba Instant. What is the difference between register and join? We'll discuss this more in Part 3. In Part 2, our focus will be on this scenario. We will achieve this scenario using Onboard. In Part 3, our focus will be on this scenario. In this part, we'll discuss the difference between register and join, and between user-owned and company- or corporate-owned devices. This is the end of Part 1. This part included an introduction to the course, the agenda of this course, and the different scenarios we will discuss in this course. Also in this part we discussed, at a high level, the different Microsoft Azure services related to this integration. We talked a little bit about Azure AD, and we talked about Intune or endpoint management. We also talked about my home lab setup. We discussed at a high level the different components I have in my lab, the integration between these components, and the IP addresses and subnets I have in my lab. We also discussed my Active Directory or Azure AD groups and the requirements for each group. In the coming parts we will discuss in more detail the different scenarios and requirements, and we'll see how to achieve these requirements in a very simple and easy way. Thank you for joining. We hope this session was informative to you, and see you in the next part. Thank you.
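As an added example that is not part of the course, the following Python models the three group requirements described above (Contractor, IT, Finance) as one fail-closed decision function, so the register-versus-join distinction and the "no Azure AD lookup for contractors" point are explicit. The role names come from the Aruba Instant setup described here; the attribute names and group labels are constructed assumptions, not ClearPass configuration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Roles named in the course's Aruba Instant setup; everything else below
# (attribute names, group labels) is a constructed model, not ClearPass config.
ROLE_CONTRACTOR, ROLE_BYOD, ROLE_FULL = "contractor", "BYOD", "FULL-ACCESS"


@dataclass
class AuthContext:
    """Attributes a policy engine would hold at enforcement time (assumed names)."""
    group: Optional[str]             # AD / Azure AD group: "contractor", "IT", "finance"
    auth_method: str                 # "EAP-TLS" or "EAP-PEAP"
    user_valid: bool = False         # account exists and credentials checked out
    cert_issued_by_us: bool = False  # client certificate chains to our own CA
    device_registered: bool = False  # Azure AD registered (user-owned device)
    device_joined: bool = False      # Azure AD joined (corporate-owned device)
    intune_compliant: bool = False   # Intune reports the device as compliant


def decide_role(ctx: AuthContext) -> Tuple[Optional[str], str]:
    """Map one authentication to an Aruba Instant role, or None to reject.

    Checks run in a fixed order and fall through to a deny, so a missing
    attribute (e.g. no compliance state yet) never yields a role.
    """
    if ctx.group == "contractor":
        # Only our certificate is checked: no Intune or Azure AD query, so a
        # contractor never consumes an Azure AD license.
        if ctx.auth_method == "EAP-TLS" and ctx.cert_issued_by_us:
            return ROLE_CONTRACTOR, "certificate issued by us"
        return None, "contractor without a certificate issued by us"
    if not ctx.user_valid:
        return None, "user not valid"
    if ctx.group == "IT":
        # Register is enough for IT (personal devices allowed), but the device
        # must still be Intune compliant; a joined device also satisfies this.
        if (ctx.device_registered or ctx.device_joined) and ctx.intune_compliant:
            return ROLE_BYOD, "registered and Intune compliant"
        return None, "IT device not registered or not compliant"
    if ctx.group == "finance":
        # Join is stricter than register: a registered personal device, even a
        # compliant one, is refused because Finance may not use BYOD.
        if ctx.device_joined and ctx.intune_compliant:
            return ROLE_FULL, "joined and Intune compliant"
        return None, "finance device not joined or not compliant"
    return None, "no rule matched"  # fail closed for unknown groups
```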